sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<kanzure> "Amplifying side channels through performance degradation" http://eprint.iacr.org/2015/1141.pdf
<instagibbs> "We show how to use the performance-degradation attack to amplify a side-channel enough to enable exploiting the new information leak. Using the combined attack, an adversary can break a private key of the secp256k1 curve, used in the Bitcoin protocol, after observing only 6 signatures."
<instagibbs> OpenSSL, fwiw
<gwillen> o_O wow that's really not so great
<jcorgan> it's using openssl, so soon to be taken care of
<sipa> jcorgan: signing has been not-OpenSSL since 0.10
<katu> kanzure: cache stomping is relevant to all wNAF (and other precomputed ladders) implementations
<jcorgan> sipa: oh, nice
<katu> i suspect even libsecp256k1 has a huge cache footprint? :)
<instagibbs> it's already taken care of, yeah
<instagibbs> perhaps
<sipa> katu: no wNAF used in signing, but yes, big cache
<instagibbs> and not Western National Angus Futurity
<sipa> katu: but our signing code's memory access patterns are 100% deterministic, and independent of the private key
<katu> sipa: indeed making compromising optimizations there would not make much sense anyway
<katu> since signing is far from the bottleneck in usual setting; verification is
<jcorgan> it begs the question of who runs signing operations on machines subject to this kind of side channel
<sipa> katu: verification uses huge caches, wNAF, and various variable-time tricks :)
<katu> sipa: i'm not too familiar with the code, but isn't the only way to be sure writing the whole signing routine in assembly?
<katu> to make sure the bits of the scalar are not spilled somewhere for flush/reload
<sipa> katu: i don't think flush/reload matters here... the code executed and the data accessed is independent of the secret
<sipa> even if secret bits would spill
<katu> sipa: just monitor the different memory lines in montgomery ladder (or similar double-and-add there)
<gmaxwell> nope.
<sipa> katu: we don't use a montgomery ladder specifically for that reason
<katu> ah
<katu> neat :)
<sipa> katu: the code executed, and the memory accessed is always independent of the secret
<gmaxwell> The memory accesses are entirely uniform in signing (assuming the compiler does nothing awful; which is something I've hand verified for a particular build-- but isn't promised by C, though it currently appears robust in existing compilers)
<jcorgan> it's almost like you guys anticipated this and worked yourself silly reimplementing ECDSA properly
<gmaxwell> (in theory a diabolical optimizing compiler could see through the conditional move structure and turn the accesses into indexing. But no such beast currently exists.)
<sipa> jcorgan: i guess this is an example where theoretical security people were a step ahead
<katu> jcorgan: i suspect bitcoin switched to its custom implementation exactly because of the earlier reported attack on openssl impl :)
<gmaxwell> jcorgan: it's almost as if our source code had comments specifically describing these attacks and Bitcoin Core switched to using ours a year ago.
<sipa> jcorgan: and the best practice advice had been "make memory accesses uniform" before such attacks became effective enough
<katu> there are still fun attacks to go around tho, like "listening" to the EM noise from alu
<katu> (or more likely bits being shuffled on lanes of dram memory bus)
<gmaxwell> yea, we only have the weakest protections (but none none) against EMI/power sidechannels. TD-Linux was setting up a measurement rig, and got some initial results; but they were contaminated by noise from USB that made it hard to use them.. he should have new results soon.
<jcorgan> wondered how that went
<kanzure> katu: or gigahertz radio noise from RAM
<TD-Linux> yeah new amplifier board built but not tested yet
<TD-Linux> also connected to a rpi now so I don't move cables around each time I test it
<sipa> heh, that paper mentions libsecp256k1 and its secp256k1_ecmult function.... but that isn't used for signing
<gmaxwell> sigh.
<katu> kanzure: would need some heavy RF equipment than just hobby SDR, but potentially much better bandwidth than just low frequency clicks?
<sipa> it's not technically saying it's vulnerable; it's listing various techniques used
<katu> sipa: probably made same mistake as me, just poked the code, instead of setting breakpoints
<sipa> or contacting the authors :p
<gmaxwell> sipa: good because Yuval knows! We asked him(?) to review our code and he did! (and gave us useful feedback that we used to harden the implementation)
<sipa> ah!
<sipa> yes, i remember that; just didn't remember the name
<gmaxwell> iirc he was the reason we changed from bitslice that was cacheline regular to indexless approach.
<kanzure> this is why i do my name thing
<sipa> gmaxwell: hmm, can't remember that; i thought that was because of a paper that identified that bitslicing still brings lower indexes earlier available in memory
<sipa> gmaxwell: but maybe he linked us to that paper
<gmaxwell> He did, the ones that are cited in the source.
<gmaxwell> DJB told me at FC15 that there was another paper which did the flush+reload attack with radically fewer than 200 probes, so I guess this is it. Funny that I didn't see this one before.
<gmaxwell> katu: re "would need some heavy RF equipment than just hobby SDR" the solution TD-Linux is using is to just run the device under test at a very low clockrate, e.g. 2MHz.
<TD-Linux> also the SD card I put in the new rpi supports DISCARD which is interesting. mkfs.ext4 picked it up and automatically cleared it
<gmaxwell> And then sampling at a few MHz is fine, esp if driven off a sync clock.
<katu> gmaxwell: neat :)
<katu> gmaxwell: though gives skewed image regarding real world practicality (i assume the likes of trezor use internal crystal to prevent this?)
<TD-Linux> I mean, the goal is to make something practical with a lot of conditions first, then remove the conditions :)
<gmaxwell> trezor is not really hardened hardened against an attacker with physical access.
<katu> (by "this" i mean the whole class of glitching attacks)
<jcorgan> it's harder but you can sample incoherently and recover the clock, then retime the samples
<gmaxwell> My hope is that we'd be able to make a blind sidechannel measurement for CI, like literally measuring the cross-correlation between the same and different secrets, and then being able to give a "sidechain energy dB" which is a worst case measurement, and track it as part of CI.
<gmaxwell> katu: trezor has no security against glitching attacks. (in fact for a long time you could just read out the nonce hamming weight by timing it over usb and be within +/- 1 99% of the time.
<gmaxwell> (the implementation was so slow that you did not need exotic hardware to do sidechannel attacks on it)
<katu> gmaxwell: hmm, i vaguely remember talking with stick and he was talking about some sort of hardened TI MCU
<katu> though i'm completely oblivious about trezor
<TD-Linux> the CPU I'm using for this is the same as the one in the trezor (stm32f4)
<katu> ah
<gmaxwell> katu: it has 'crypto' features which are mostly not useful for bitcoin applications.
<TD-Linux> err actually I think trezor is stm32f2, but similar.
<katu> not EM protected, but glitching is very very old attack
<katu> i remember cloning sim cards through it mid 2000s :)
<gmaxwell> I was told last night that someone had managed to use a rare earth magnet to glitch embedded devices. Actually seems like not a terrible idea, you can get a surface field of >1 tesla... then just move it fast over the chip, should cause a fair amount of current.
<bramc> My commentary on modular square roots for proofs of sequential work, pasted from an email:
<bramc> Modular square roots have the advantage that the checking time for them is super fast. They have the disadvantages that the space of a proof is linear-ish on the time it took to generate, and they might be optimized dramatically in the future, especially if custom hardware is built specifically to be as fast as possible, quadratic blowup of power be damned. On the plus side, at current speeds for and for the amounts of time I want they probably work great. On the downside it's likely that it's possible to get two or three orders of magnitude improvement in their times, which would cause a massive disruption in the short term, and once that speedup has happened the linear relationship will have caused the sizes of proofs to become unacceptably large. On the plus side, I'd view fostering the generation of such hardware and causing it to be well optimized to the limits of current technology to be a positive thing in and of itself.
<bramc> On the whole, the naive approach is still clearly winning, but maybe if the size/time tradeoff could be made exponentialish instead of linearish a more sophisticated approach would win, even if custom hardware has the potential to be massively faster.
<sipa> why is the proof linear in the time it took to generate?
<sipa> the proof is just the root of the number, no?
<sipa> also, not every number has a square root
<bramc> sipa, You do it for something which does have a square root, and the number of modular exponentiations you have to do is based on the length of the modulus in bits
<kanzure> "John Conway's contributions on mathforum.org (1993-2004)" http://mathforum.org/kb/profile.jspa?userID=526
<sipa> bramc: i'm aware... but for something like PoW, I would expect that you have to try random inputs
<sipa> bramc: which means that not only you need to square root quickly, you also need to be able to quickly determine that an input has none :)
<bramc> sipa: I believe that if you use a group with a generator of 2, then always either x or -x is a quadratic residue, so the result of a challenge is either the square root of x or the square root of -x
<sipa> right, indeed
<kang_> Side-channel attack reveals secp256k1 key after 6 signature observations: https://eprint.iacr.org/2015/1141.pdf
<kang_> kanzure: you're a legend man
<aj> gmaxwell: hmm, there's no straightforward way to sign non-standard txns (like the "reveal private key" constructs we were discussing) using bitcoin core, is there?
<gmaxwell> there is a known way to change bitcoin core so that it can sign for arbitrary scripts... but no one has implemented it yet. Though for that particular script, it wouldn't work. (because you need to fix the nonce.)
<parzzix> Hello
<parzzix> Was looking for suggestions on which Crypto coin would be best to start with..
<parzzix> there are way too many options
<parzzix> Something with a long foreseeable future
<sipa> #bitcoin
<parzzix> Ok, suggestion on BC wallet? I'm a linux user.
<fluffypony> parzzix: #bitcoin
<AdrianG> my company is building a private blockchain-based product.
<AdrianG> will go live in a few months, supposedly we already have business deals inked.
<kanzure> and?
<AdrianG> they decided to use a permissioned blockchain :<
<AdrianG> our partner/clients are banks and govts. and they really cringe when they hear the word bitcoin, apparently
<bsm1175322> And we really cringe when we hear "permissioned blockchain" -- because it's got another name: a fucking database.
<AdrianG> yup.
<bsm1175322> Did everyone cringe when they heard "internet" at first because it was full of porn?
<AdrianG> bsm1175322: its just the hard cold reality, unfortunately.
<Taek> a blockchain is a step better than a standard database, it's got history and a bunch of rules you can use to make sure every transaction was correct/sane
<bsm1175322> Believe me, I know. But pandering to idiocy will get you nowhere. Educate...
<AdrianG> bsm1175322: it was pointless.
<AdrianG> blockchain - gud. bitcoin - bad.
<AdrianG> its like it was burned into their heads with a hot wire.
<bsm1175322> Taek: adding cryptography to databases needs to be done. Multiple histories is not a new thing with snapshotting.
<Taek> bsm1175322: you don't need a blockchain to get the benefits of permissioned blockchains, but for many companies it's a significant step up from what they are currently doing
<bsm1175322> There are a number of ways to take good ideas from bitcoin and add them to databases. But let's call a duck a duck: it's a database. And we should do all that.
<AdrianG> besides, everyone seems to be convinced that bitcoin's 10 min confirmation times are really bad lol.
<AdrianG> but instant confirmation on a private chain is a major improvement. lol.
<bsm1175322> AdrianG: Because T+3 is better.
<AdrianG> bsm1175322: our application has nothing to do with settlement.
<AdrianG> we sell identity proofs/identity notarization type of thing
<bsm1175322> The fact of the matter is that the financial world is adversarial. Instant confirmation times are a pipe dream because JP Morgan will never let Wells Fargo have the last word on whether a transaction is final.
<AdrianG> fedramp/fips certified identity provider.
<kanzure> so you work for verisign?
<bsm1175322> AdrianG: which company?
<chmod755> AdrianG, are you working for bitnation?
<AdrianG> no, not bitnation
<AdrianG> i think its best to keep my company name out of this discussion
<amiller_> this seems like a better topic for #bitcoin unless you're going somewhere else with it
<kanzure> agreed.
<AdrianG> only technical discussion here?
<bsm1175322> I do think there's a role for identity here (and back on topic): I recently proposed a "permissioned blockchain" that was actually a pub/sub database. Wouldn't work for transactions though. But if I want to subscribe to your database updates...
<bsm1175322> pub/sub has no consensus. There's no chain tip.
<kanzure> yep, usually only technical, although theoretical work and speculation in many areas is ok
<AdrianG> bsm1175322: there will be no subscriptions.
<amiller_> AdrianG, yes! but technical can loosely include code, science, and even long term or "out there" ideas
<kanzure> yup what amiller said
<sipa> i think "permissioned blockchains" are very useful; except they're really just an auditable cryptographic transcript of another consensus system
<sipa> it is not a database, it's an audit log of one
<Taek> ^
<AdrianG> sipa: the only problem nobody understands that. at the moment, it seems to be an attempt to fit a square peg into a round hole.
<katu> bsm1175322: the only difference from pub/sub is plausible proof of history (ie timestamp) in otherwise centrally issued scenario
<sipa> AdrianG: agree, and it annoys me greatly :)
<AdrianG> the major issue with using bitcoin for identity proof/notarization is possibly txn backlogs
<AdrianG> from my perspective
<amiller_> what's actually changed, then? i think there's an important shift but i don't quite have my finger on it... the techniques for audit logs have been around for a long time, auditing computer evidence has been an explicit property of many databases designs at least in theory
<AdrianG> which can be unpredictable at times. i can live with 10 min conf times.
<sipa> then revive chronobit :)
<bsm1175322> It's not so simple. There's pub/sub, audit log, ACID databases, and PoW blockchains. I don't think I've heard anyone succinctly/correctly describe the spectrum.
<sipa> it was the perfect, zero-cost, reliable, scalable timestamping system
<AdrianG> perfect lol?
<katu> amiller_: it's to have stronger guarantee than double entry
<sipa> except it was written in perl, and needed p2pool :)
<Taek> amiller_: I think one of the big differences is the amount of publicity the blockchain has. Nontechnical people in important positions are realizing how useful this stuff is b/c of the popularity.
<AdrianG> perl is erfect ever real language.
<AdrianG> sipa: why p2pool ?
<bsm1175322> And nontechnical people are telling me how to write software. :-/
<bsm1175322> not good...
<katu> as arbitration of double entry disputes is costly (and prone to fraud). imagine if LIBOR rates were voted on blockchain, instead of mutual "cross checking"
<sipa> AdrianG: too long to explain here; it actually has advantages (higher accuracy, as it timestamps into the p2pool sharechain), but it does rely on p2pool having a significant hashrate
<AdrianG> sipa: what level of hashrate?
<AdrianG> sipa: can i bribe some other miner to act as my pool for timestamping like that?
<sipa> AdrianG: yes, that was the intent
<kanzure> katu: i could easily come up with a "on-blockchain libor scheme" that is vulnerable to collusion. i'd certainly prefer any on-blockchain libor scheme over the alternatives anyway, but that's beside the point i think.
<sipa> AdrianG: miners get paid for commitments, and they store a merkle root in the chain, and give you the branch
<bsm1175322> Thanks sipa, I hadn't seen Chronobit. So the only reason it's a better timestamp server is faster block rate?
<sipa> it has o(1) overhead per time unit, doesn't bloat the blockchain or the utxo set, is reliable (if adopted by miners), ...
<AdrianG> sipa: minerS or a single large mining pool enough?
<bsm1175322> FWIW I can build a VERY accurate (as fast as the network will allow) timestamper on top of a DAG-chain...
<AdrianG> we can pay miners for that.
<bsm1175322> Because I can get rid of the block time. The effective resolution becomes the propagation time across the network.
<katu> kanzure: the point is always about disputes - what happens when somebody rigs the system? the matter of proof of knowledge (though i think they don't even do that, maybe they should consider it first) are onchain or pub/sub indeed is unrelated.
<katu> kanzure: ie the argument that trying to rig the system (i think thats equivalent to trying to corner the market?) just becomes accepted reality. "machines"/"hashpower" being the ultimate jury.
<AdrianG> chmod755: bitnation is interesting.
<chmod755> AdrianG, I'm going to test their service on dec 1
<AdrianG> test what exactly?
<bsm1175322> OOooooh!
<chmod755> blockchain notary service
<AdrianG> no way. amazing.
<AdrianG> you have estonian e-residency?
<chmod755> AdrianG, yep
<AdrianG> you travelled there in person?
<chmod755> AdrianG, no, you can get it from the embassy
<AdrianG> oh so the embassy part is already functional. i gotta sign up for it then.
<AdrianG> chmod755: what do you use it for, your e-residency?
<chmod755> i guess this is off topic here ...
<kanzure> yes it's off-topic
<AdrianG> geez another crowdale.
<AdrianG> sale*